Dear Engineer. You failed your licensing exam. Open this document to learn more.


A new piece of advanced espionage malware, possibly developed by a nation-supported attacker, targeted three US companies in the utilities industry last month, researchers from security firm Proofpoint reported on Thursday.

Employees of the three unnamed companies, Proofpoint reported, received emails purporting to come from the National Council of Examiners for Engineering and Surveying. This non-profit group develops, administers, and scores examinations used in granting licenses for US engineers. Using the official NCEES logo and the domain nceess[.]com, the emails said that the recipients failed to achieve a passing score on a recent exam. The attached Word document was titled Result Notice.doc.

Proofpoint

Malicious macros embedded in the document attempted to install a package of full-featured malware that Proofpoint calls LookBack. Its components included a remote-access trojan written in C++ and a proxy tool for communicating with a command-and-control server. Once installed, LookBack gave attackers a wide range of capabilities, including:

Get process listing

Kill process

Execute cmd.exe commands

Get drive type

Find files

Read files

Delete files

Write to files

Execute files

Enumerate services

Start services

Delete services

Take a screenshot of the desktop

Move/Click Mouse and take a screenshot

Exit

Remove self

Shutdown

Reboot

Beyond its wide-ranging capabilities, LookBack was advanced for other reasons. Its command-and-control proxy impersonated WinGup, the open source updater used by Notepad++, in an attempt to camouflage itself. LookBack avoided detection in another way, too: one of its dynamic link libraries appeared to be a legitimate libcurl DLL except for a single extra exported function. The attackers called that function to extract encrypted data stored in the DLL, which was used to carry out communications and to establish persistence on the infected computer.

Sherrod DeGrippo, Proofpoint's senior director of threat research and detection, said her company was able to block all phishing attempts used against the three customers in this campaign. The researcher said it's not clear if there were other targets or if any of them were infected.

Proofpoint said the macros in the Word document are similar to ones used in targeted attacks against Japanese businesses last year. Specifically, the macros, written in Visual Basic for Applications, used a large number of string-concatenation operations, possibly in an attempt to keep the malicious strings from being detected. The macro pictured immediately below is from 2018; the one below it was used in last month's attacks.

Proofpoint
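As an added example, not code from the Proofpoint report or from this article: the evasion described above, splitting strings into many short literals joined with VBA's & operator, defeats signatures that look for whole tokens such as "powershell" in the macro source, because no single literal contains the token. The Python below folds such concatenations back together and scores their density. Both macros are constructed for this example; the thresholds (8 joins, mean literal length 4) and the token list are arbitrary assumptions.

```python
import re

# Constructed sample, NOT the macro from the Proofpoint report: the strings are
# assembled from short literals so no single literal contains a whole keyword.
OBFUSCATED_VBA = '''
Sub AutoOpen()
    Dim s As String
    s = "po" & "wer" & "sh" & "ell" & " -w " & "hid" & "den" & " -e" & "nc " & "SQBFAFgA"
    Dim o As Object
    Set o = CreateObject("WS" & "cri" & "pt.Sh" & "ell")
    o.Run s, 0
End Sub
'''

# Constructed benign macro for comparison: one concatenation, long literals,
# and the right-hand operand is a function call rather than a literal.
BENIGN_VBA = '''
Sub FormatReport()
    Range("A1").Value = "Quarterly report"
    Range("A2").Value = "Generated " & Format(Now, "yyyy-mm-dd")
End Sub
'''

# One VBA string literal; a doubled quote "" is an escaped quote inside it.
LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# Two literals joined by & or + (both concatenate strings in VBA).
PAIR = re.compile(r'"((?:[^"]|"")*)"\s*[&+]\s*"((?:[^"]|"")*)"')
# A literal followed by an operator and another literal: counts as one join.
JOIN = re.compile(r'"(?:[^"]|"")*"\s*[&+]\s*(?=")')

# Tokens worth flagging once the strings are reassembled (assumed list).
SUSPICIOUS = ("powershell", "wscript.shell", "cmd.exe", "-enc", "shell.application")


def fold_literals(src: str) -> str:
    """Merge every "a" & "b" into "ab", repeating until no literal-literal join is left."""
    while True:
        folded = PAIR.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return src
        src = folded


def analyse(src: str, min_joins: int = 8, max_mean_len: float = 4.0) -> dict:
    """Score concatenation density, then search the folded strings for suspicious tokens."""
    literals = LITERAL.findall(src)
    joins = len(JOIN.findall(src))
    mean_len = sum(map(len, literals)) / len(literals) if literals else 0.0
    folded = fold_literals(src)
    hits = sorted({t for lit in LITERAL.findall(folded)
                   for t in SUSPICIOUS if t in lit.lower()})
    return {
        "literals": len(literals),
        "joins": joins,
        "mean_literal_len": round(mean_len, 2),
        "folded": folded,
        "suspicious": hits,
        # Flag on density alone (many joins of tiny fragments) or on a known token.
        "flag": (joins >= min_joins and mean_len <= max_mean_len) or bool(hits),
    }


if __name__ == "__main__":
    for name, src in (("obfuscated", OBFUSCATED_VBA), ("benign", BENIGN_VBA)):
        r = analyse(src)
        print(f"{name}: joins={r['joins']} mean_len={r['mean_literal_len']} "
              f"suspicious={r['suspicious']} flag={r['flag']}")
```

The density score matters more than the token list: an attacker can rename every string, but a macro that builds its strings from dozens of two- and three-character fragments looks like nothing a spreadsheet author writes, and the folding step lets a reviewer read what the macro actually executes. Real VBA also builds strings with Chr() and StrReverse(), which this fold does not handle.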

According to security firm FireEye, an advanced persistent threat group operating out of China, called APT10 or Menupass, carried out the 2018 attacks against Japanese businesses.

"The macros used in the incident described by Proofpoint are highly similar to the macros used by APT10 in 2018," FireEye Principal Analyst Sarah Jones said in an emailed statement. "We also concur that the malware is, in fact, different than what was used previously in 2018. At this time, we cannot definitively attribute this to APT10 or any other named group."

While it's still not clear precisely who is behind the recent campaign, there's little doubt it poses a significant threat given its target.

"The detection of a new malware family delivered using phishing tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors," Proofpoint researchers Michael Raggi and Dennis Schwarz wrote. "While definitive attribution in this instance requires further study of infrastructure, toolsets, and methodologies, the risk that these campaigns pose to utilities providers is clear. The profile of this campaign is indicative of specific risk to US-based entities in the utilities sector."

The report includes indicators of compromise that other utilities can use to help determine if they have been targeted or infected.


106 Reader Comments

How effective are these macro attacks? It seems like a rather naive attack. Word prompts you when you open up a document with macros. Beyond that, it seems like the virus scanner ought to have caught that. If a document with macros was needed for a job function, it could be shared some way other than email.

In this line: "Another way WinGup avoided detection: a dynamic link library appeared to be a legitimate DLL file for the software tool libcurl except for a single exported function." I think you mean "LookBack" not "WinGup".

I run phishing tests for my company, if anyone thinks this isn't effective they'd be shocked by what people really click on. The slightest bit of customization, even the company or city name in the subject line can literally double your click through rate.


Because we're living the dream portrayed in the documentary "Idiocracy".


The problem with macros is substantially historical/entrenched bad practice rather than technical.

The Office GPOs allow you to fairly easily lock down macro settings (off, signed only, off except for files in defined 'trusted locations', off for files marked as internet origin; probably off except for whitelisted publisher signatures, though I've not specifically checked that one); which eliminates the problem.

Except that, when a user received a document that actually does depend on macros (invariably unsigned or signed with a deeply expired key from a defunct entity) and it breaks; guess who they come whining to?

Because documents that depend on macros are a real thing out there, IT often can't get away with shutting them off; and users often will fall for either the instinct to just click anything that pops up; or for a bugged document that has a user-visible "please enable macros to see the content" message written at the top.

If you are getting hit by macro attacks because IT doesn't know how to turn that feature off; your IT sucks.

However, IT almost certainly knows how to tick the box; but knows that they can't get away with it unless they exhaustively whitelist all the crevices where macros are being used for legitimate purposes; and that kind of anthropological fieldwork is a vastly more challenging job. Should still be done, especially if you have the glorious opportunity of a relatively 'greenfield' setup without accumulation of this-shared-spreadsheet-is-basically-our-ERP-system.xls horrors; but most don't have that luxury.


Part of the problem is that a lot of really stupid legitimate emails fly around in every company from the PHBs. What's worse is those same PHBs almost always think they're very stable geniuses that need access to everything.

Given I've never met an executive type that thought good op-sec practices apply to them, I'm not really sure what can be done.


Ideally there'd be a way to allow macros sent from internal sources to run but not external. I'm sure there would be exceptions needed but it's hard to imagine that it would be many, especially for Word docs.

Now we can't even trust Word docs from email? What's next? Executables in zip files!??

In a minute you'll be telling me we can't even allow Autorun on random CDs and memory sticks. Oh what desperate times are these... ;-)

What's alarming about the USB case is that it has good ways to get around basic autorun blocking.

I was horrified by one case where a credit card company sent me a promotional USB device, looked like a credit card, branded with their logos and stuff, little USB connector folded out. If inserted it emulated an Apple USB keyboard (not sure exactly why them; but that's the device ID they chose); and then automatically sent some keystrokes to the host system to open a browser and bring up their promotional website. Naturally, since they were trying to track impressions from the campaign and had likely farmed it out to a 3rd party; the actual URL wasn't even the company one; but some deeply sketchy looking 3rd party domain with a lot of encoded bits in the URL that redirected to the company's site.

The hardware could only have been a better malice tool if it had included some onboard flash to store an exploit toolkit in case of lack of connectivity; and yet a credit card issuer was using it as a promotional tool. Insane.

Anecdote aside, USB devices are just alarmingly well suited to shapeshift, which makes them scary powerful. I don't think any contemporary OS falls for autorun.ini anymore; but a flash drive that's actually a USB composite device with an emulated keyboard can certainly fix that; and there are enough legitimate cases of shapeshifting that you can't just blanket ban (most phones do it if you change transfer mode or activate/deactivate tethering, some lousy peripherals emulate disks with antique drivers on them, etc.)


I'd like to think otherwise, but experience with my company's constant phishing reminders, fake-phishing-attack test emails, and several trainings tell me you're absolutely right. We have an older guy (not remotely computer-savvy) who printed off a Word doc attached to one of these (thankfully IT-sponsored) phishing tests. A facepalm was the only response most of us gave him.


At least with 2016 there is the "Block macros from running in Office files from the Internet" option. As long as the zone.origin alternative data stream is present and set correctly (ZoneID 0 is local machine, 1 is local intranet, 2 trusted sites, 3 internet; and 4 restricted sites, with those definitions meaning the same thing they are configured to mean in IE zone settings). I'd assume that Outlook does set attachments as internet zone, possibly with the ability to define certain senders or other conditions as functionally local intranet, local, or trusted; so this setting gets you most of the way to what you want without having to delve into the delightful world of getting people to actually sign their macros (obviously that's the true correct answer; but in most cases asking users to 'sign your macros' would get you a desk covered in printed documents signed in blue pen; and rolling out organizational PKI down to individual user certs is nontrivial in any case).

I'm not sure offhand if you can block a user from stripping zone information from a file they have modify access to (by default you can do it; but it's a manual step); but even if you can't stop those truly dedicated to stupidity it's an extra speed bump compared to the default "block with notification", which users can bypass all too easily; or "block unsigned", which might as well be 'disable macros' in most environments.
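An added example, not the commenter's code, that implements what the comment above describes: reading a file's Zone.Identifier stream (the mark-of-the-web data the comment refers to), decoding its ZoneId, and deciding whether the Internet-origin macro block would apply. The stream contents are constructed samples in the format Windows writes, not copied from real downloads; the assumption that the policy blocks only files marked zone 3 or 4 and leaves unmarked files and zones 0 to 2 alone is mine, as are the function names. On Windows, `Get-Content -Path file.doc -Stream Zone.Identifier` in PowerShell shows the same stream by hand.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# ZoneId values written into the Zone.Identifier stream; same numbering as the
# Internet Explorer security zones the comment above lists.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Assumption for this example: the Office "block macros from the Internet"
# policy applies to files marked zone 3 or 4 and to nothing else.
BLOCKED_ZONES = {3, 4}

# Constructed sample streams, not copied from real downloads. The first is the
# shape a browser or mail client writes; the third lacks the section header.
STREAM_FROM_BROWSER = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                       "ReferrerUrl=https://example.test/\r\n"
                       "HostUrl=https://example.test/Result%20Notice.doc\r\n")
STREAM_FROM_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
STREAM_MALFORMED = "ZoneId=3\r\n"


@dataclass
class Mark:
    zone_id: Optional[int]          # None means "no usable mark of the web"
    referrer: str = ""
    host: str = ""

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unmarked")


def parse_zone_identifier(text: Optional[str]) -> Mark:
    """Parse the INI-style stream; anything missing or unparsable counts as unmarked."""
    if not text:
        return Mark(None)
    # interpolation=None so a '%' in a URL is not treated as a format directive
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        zone = cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return Mark(None)
    section = cp["ZoneTransfer"]
    return Mark(zone, section.get("ReferrerUrl", ""), section.get("HostUrl", ""))


def macros_blocked(mark: Mark, policy_enabled: bool = True) -> bool:
    """Would the Internet-origin macro block apply to a file carrying this mark?"""
    return policy_enabled and mark.zone_id in BLOCKED_ZONES


def read_mark(path: str) -> Mark:
    """Read the file's Zone.Identifier alternate data stream (NTFS on Windows)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:                  # no stream, non-NTFS volume, or not Windows
        return Mark(None)


if __name__ == "__main__":
    for label, stream in (("browser", STREAM_FROM_BROWSER),
                          ("intranet", STREAM_FROM_INTRANET),
                          ("malformed", STREAM_MALFORMED)):
        m = parse_zone_identifier(stream)
        print(f"{label}: zone={m.zone_name} host={m.host!r} blocked={macros_blocked(m)}")
```

The malformed case is the one worth noticing: a stream that cannot be parsed is treated as no mark at all, which is the same outcome as a user stripping the stream or copying the file through a FAT-formatted USB stick. The policy is a speed bump on the well-travelled path, not a control on files whose origin has already been laundered.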


I'm always tempted to try to sell the less cooperative suits on the "it's like having a tech bodyguard, because someone as important as you has people gunning for them" theory. People seem to accept the idea that bodyguards get to body-check you into the ground when the alternative seems worse, so it'd be nice if it worked.

Unfortunately, I doubt it would. IT threats are the combination of "everywhere" and "mostly invisible" that just makes people's risk sense shut down.

Closest I've gotten was when a Global VP tried the "Do you know who I am?" thing when I told him (politely, and with maximum flexibility to accommodate his schedule) that I'd need to take his laptop to set up full disk encryption. He responded unhappily, I told him "yeah, I know who you are: Global VP of X, more or less total access to a wide range of extremely important and commercially sensitive planning and financial data; frequent traveller to a wide range of destinations on business, substantial approval powers for expenses that don't count as capital budget or require explicit approval from Finance or Legal. You, sir, are a very, very, high value target."

I don't think he was flattered; but at least he cooperated after that.

Stories like this (and my experiences at work) make me think:
- text-only for email, at least on any computer/device with access to sensitive resources
- work communication and document sharing through some more secure channel than email (MS Teams? Slack? End-to-end encrypted chat software? ...)

(Also, it frequently annoys me when colleagues send messages in email/Teams/Yammer etc. with all the content in an attachment, when they could just say it in the message body; now maybe I have a security argument too!)

I installed a bunch of touchscreen kiosks in an energy company's heritage exhibit a few years ago. Early on they wanted a call to figure out how to lock down what we were putting in place. On the call was everybody from facilities to IT to networking to the CIO's assistant to their homeland security compliance officer. I was impressed how careful they were. Good for them.

Edit: Oops, forgot to mention a salient detail: these were air gapped computers with static content that needed no networking, and they were still that careful.


Ideally, internal "within the firewall" document exchange would use a more secure channel than an internet-connected email service, with more reliable authentication of who a message is really from.

Also, I am an African princess with millions of dollars; please give me all your bank information so I can give you some free money for absolutely no logical reason...

Finally, I am your long-lost relative, and I need to give you the deed to a whole bunch of real estate; please give me your SSN, your DOB, mother's maiden name, address, place of birth, etc. It's all for completely legitimate reasons, I assure you!

Thank you!

PS: also, please give me your email account's password...

When I worked for a local ISP we would have people plain text emailing or leaving voicemails of their credit card information. They usually did this because for some reason their previous card was compromised.


The real issue, for the people who have to open those emails anyways.

We receive purchase orders in text, PDF, and DOC files all the time. If you do not click on it and open it, you can't view it. Until then you can't always determine if it is legitimate.

PDFs are generally used, but we have had a few of those trapped as well. The worst ones are companies who host their purchase orders on their websites so you have to click on a strange link to view it. And they think it is more secure. (It is usually done by the big-name companies.)

So you need to send private authorization to order stuff to someone? How do you do it?


Some people aren't into tech and the related news. They just use the computer for work, then they're out. It's not that people are dumb; they aren't interested in the topic.


In our company everything from an external mail source gets flagged at the top of the email in red "External email, exercise caution in contents, links and attachments, report suspicious emails to .... "

People literally ignore that if the email has a name of a person in the company they know even if the address is totally fucked and the email makes no sense.

People see what they want to see and ignore the rest. I don't know how many machines we've had to flatten and reload because of crap like that. Not to mention things like Office 365 fake logins. Since everyone has two-factor authentication that's at least helped quite a lot, and accounts are automatically locked if the system sees login attempts that geographically shouldn't be possible, but I don't know how you can prevent people from being complete idiots. Especially since some of these are very well crafted.

We do twice-yearly tests sending out emails that show us who is falling for it; those that get flagged have to go through some additional training, and we are constantly sending out notes on what to be on the lookout for when we see a flood of emails coming in, but there is only so much you can do. You have to have all your systems patched, and rights limited to users only having access to what they need. You're going to get hit at some point.

Default Office policy (since early 2000s afaik) is to block ALL macros, with no option for the user to enable, unless the file is explicitly put into a specific directory or directories buried in Office's program files. This, of course, can be changed by an advanced user but I'm failing to come up with a reason why any sane person ever would in this age. Not to mention that anything with the Mark of the Web would be slapped down as well.

You really have to fail on several, several levels to get hacked by macros.


Well sports fan, that was an exception.

I work for <insert giant tech firm here> and we have 99% of the Fortune 500 as clients.



I recently dealt with this at my organization, and I met in the middle with the business on this.

I sent out a survey to the organization asking who actually uses macros, and if so, what their business justification is for using macros. Of ~500 end users, 20 had an actual justification, and they are the only ones who aren't targeted by the GPO I rolled out that blocks macros in MS Office.

Those 20 users are the only ones in the organization who I have to worry about being compromised by a macro vulnerability.

As much as we would like security in IT to be binary, it isn't and sometimes exceptions need to be made to balance that need for security with the needs of the business. Having technology leadership that adheres to that philosophy, and advocates for their IT team and their recommendations, usually can result in an outcome that everyone is happy with.


I have issues with those tactics though -- I've been burned both ways, let me explain why for a moment.

I used to be super suspicious about any slightly generic email or email I didn't recognize the sender.

Fast forward until I worked for a company that decided to outsource training. I get this email, "Dear user," about how it's super important I have to do this mandatory training before the week is out or I'll get in trouble, and I need to click <really long link to a domain I didn't recognize> and then log in with my workplace domain, username, and password.

Sounds sketch, right? I mean how many of the signs of suspicion are there? I deleted it.

Fast forward another week, I get called into my managers office. Some high-up at corporate was flipping that I was a week overdue on mandatory cybersecurity training. If I didn't drop everything and do it RIGHT THEN they'd terminate my access...and I no longer had the link to do it which made the high ups more upset I deleted critical training.

I think that happened twice.

A while later they implemented fake phishing...one of the tests sent out a thing about "mandatory training" and "have to act immediately". Not being one to get yelled at a 3rd time for failing to do mandatory training, what would you suppose I did?

Then we were trying to procure software shortly after being bought by another company. We knew the request was being routed to "some other group in charge of quotes" and they "would get back to us". So, when several of us got an email with an attached quote for "your requested software" what would you suppose we all did with that email? If you guessed we opened the attachment that we believed we were expecting...


So yeah. Damned if you do, damned if you don't.

Wait, you didn't think to ask your manager to confirm if it was legit after the first time?


They didn't know because it came directly from the outsourced company. My manager only found out when they got the "failure of compliance" notice for an employee under them.

My "manager" was/is just a more senior engineer, not like a training/people person. The HR types and training people are/were at some other office who knows where.